Friday, July 2, 2021

Extract shsq


As we know, the normal squashfs magic number is 0x73717368 ("hsqs").

But some vendors modified the squashfs format to support LZMA and changed the magic to 0x71736873 ("shsq").

Mainline squashfs now supports LZMA itself, so we can patch the header of our binary image and let unsquashfs do its work.

  1. Open the image with a hex editor, or write your own tool.
  2. Change the magic "shsq" to "hsqs" at the beginning of the image.
  3. Change compression_id (image_header[20]) from 1 (GZIP) to 2 (LZMA).
  4. Run unsquashfs as usual.

Ref: https://dr-emann.github.io/squashfs/
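The same header patch as a small script, an example added here rather than taken from the post; the file names and the sample image are assumptions, and it rewrites only the magic and the compression_id that the steps above mention:

```python
import struct
import sys

SQUASHFS_MAGIC = b"hsqs"   # standard little-endian magic (0x73717368 read as a u32)
VENDOR_MAGIC = b"shsq"     # byte-swapped magic of the vendor LZMA images (0x71736873)
COMPRESSION_OFFSET = 20    # u16 compression_id field of the superblock
COMP_GZIP, COMP_LZMA = 1, 2

def patch_superblock(image: bytes) -> bytes:
    """Return a copy of `image` with the standard magic and compression_id = LZMA.

    Only the two superblock fields are rewritten; the compressed data blocks are
    left as they are, which is all a stock unsquashfs with LZMA support needs.
    """
    if len(image) < COMPRESSION_OFFSET + 2:
        raise ValueError("image too short to hold a squashfs superblock")
    magic = image[:4]
    if magic == SQUASHFS_MAGIC:
        return image                      # already a standard image, nothing to do
    if magic != VENDOR_MAGIC:
        raise ValueError(f"unexpected magic {magic!r}, not an 'shsq' image")
    buf = bytearray(image)
    buf[:4] = SQUASHFS_MAGIC
    (comp_id,) = struct.unpack_from("<H", buf, COMPRESSION_OFFSET)
    if comp_id == COMP_GZIP:              # the vendor images label LZMA data as GZIP
        struct.pack_into("<H", buf, COMPRESSION_OFFSET, COMP_LZMA)
    return bytes(buf)

def make_sample_vendor_image() -> bytes:
    """Constructed 96-byte superblock (sample data, not a real firmware image):
    vendor magic, compression_id = 1 (GZIP), every other field zero."""
    buf = bytearray(96)
    buf[:4] = VENDOR_MAGIC
    struct.pack_into("<H", buf, COMPRESSION_OFFSET, COMP_GZIP)
    return bytes(buf)

if __name__ == "__main__":
    # usage: python patch_shsq.py vendor.squashfs patched.squashfs
    src, dst = sys.argv[1], sys.argv[2]
    with open(src, "rb") as f:
        patched = patch_superblock(f.read())
    with open(dst, "wb") as f:
        f.write(patched)
    print(f"wrote {dst}; now run: unsquashfs {dst}")
```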

Monday, January 25, 2021

Run arm rootfs with QEMU user

Extract or mount your rootfs to a directory, for example ./rootfs.

Install qemu-user-binfmt.

This package registers qemu-user with the kernel so that ARM ELF binaries are run through it.

sudo apt install qemu-user-binfmt

To see which interpreters are registered:

ls /proc/sys/fs/binfmt_misc/

cat /proc/sys/fs/binfmt_misc/qemu-arm

Now we can see that the interpreter for ARM ELF binaries is /usr/bin/qemu-arm-static.

The interpreter could instead be /usr/bin/qemu-arm, depending on the order in which you installed the QEMU packages.

When we chroot, the kernel still runs ARM ELFs through that interpreter path, now resolved inside the new root. So we need to put qemu-arm-static into the chrooted "root" at that path.

If your interpreter is /usr/bin/qemu-arm-static:

cp `which qemu-arm-static` ./rootfs/usr/bin/

If your interpreter is /usr/bin/qemu-arm:

cp `which qemu-arm-static` ./rootfs/usr/bin/qemu-arm

OK, we can chroot now.

chroot ./rootfs/ /bin/ash
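The steps above folded into one helper, added here as an example rather than taken from the post (it assumes the binfmt entry name qemu-arm and a rootfs at ./rootfs): it reads the registered interpreter path, copies the static qemu to that exact path inside the rootfs, then chroots.

```python
import os
import shutil
import sys

BINFMT_ENTRY = "/proc/sys/fs/binfmt_misc/qemu-arm"   # assumed entry name

def binfmt_interpreter(entry_text: str):
    """Return the interpreter path from the text of a binfmt_misc entry (one
    'interpreter /usr/bin/qemu-arm-static' line among 'enabled', 'flags: ...'),
    or None when no interpreter line is present."""
    for line in entry_text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] == "interpreter":
            return parts[1]
    return None

def interpreter_dest(rootfs: str, interpreter: str) -> str:
    """Where the interpreter must live inside the rootfs: after chroot the kernel
    resolves the registered path relative to the new root."""
    return os.path.join(rootfs, interpreter.lstrip("/"))

def stage_interpreter(rootfs: str, interpreter: str, source: str = "qemu-arm-static") -> str:
    """Copy the *static* qemu (a dynamic one would not find its libraries inside
    the chroot) to the registered path, whatever name that path uses."""
    src = source if os.path.isabs(source) else shutil.which(source)
    if src is None:
        raise FileNotFoundError(f"{source} not found; install qemu-user-static")
    dest = interpreter_dest(rootfs, interpreter)
    os.makedirs(os.path.dirname(dest), exist_ok=True)
    shutil.copy2(src, dest)
    os.chmod(dest, 0o755)
    return dest

def enter_rootfs(rootfs: str, shell: str = "/bin/ash") -> None:
    """Stage the interpreter, then chroot and exec the rootfs shell (needs root)."""
    with open(BINFMT_ENTRY) as f:
        interp = binfmt_interpreter(f.read())
    if interp is None:
        sys.exit(f"no interpreter registered in {BINFMT_ENTRY}; install qemu-user-binfmt")
    stage_interpreter(rootfs, interp)
    os.chroot(rootfs)
    os.chdir("/")
    os.execv(shell, [shell])

if __name__ == "__main__":
    enter_rootfs(sys.argv[1] if len(sys.argv) > 1 else "./rootfs")
```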

Enjoy!

Sunday, August 23, 2020

Install tips for python3 virtualenvwrapper

  • Do not install it with apt; use pip.

sudo pip3 install virtualenvwrapper

  • Edit ~/.bashrc and add:

export WORKON_HOME="/home/xxx/you_name_it"

export VIRTUALENVWRAPPER_PYTHON="/usr/bin/python3"

source /usr/local/bin/virtualenvwrapper.sh


Friday, July 17, 2020

A Piece Of Cake @www.jarvisoj.com

nit yqmg mqrqn bxw mtjtm nq rqni fiklvbxu mqrqnl xwg dvmnzxu lqjnyxmt xatwnl, rzn nit uxnntm xmt zlzxuuk mtjtmmtg nq xl rqnl. nitmt vl wq bqwltwlzl qw yivbi exbivwtl pzxuvjk xl mqrqnl rzn nitmt vl atwtmxu xamttetwn xeqwa tsftmnl, xwg nit fzruvb, nixn mqrqnl ntwg nq gq lqet qm xuu qj nit jquuqyvwa: xbbtfn tutbnmqwvb fmqamxeevwa, fmqbtll gxnx qm fiklvbxu ftmbtfnvqwl tutbnmqwvbxuuk, qftmxnt xznqwqeqzluk nq lqet gtamtt, eqdt xmqzwg, qftmxnt fiklvbxu fxmnl qj vnltuj qm fiklvbxu fmqbtlltl, ltwlt xwg exwvfzuxnt nitvm twdvmqwetwn, xwg tsivrvn vwntuuvatwn rtixdvqm - tlftbvxuuk rtixdvqm yivbi evevbl izexwl qm qnitm xwvexul. juxa vl lzrlnvnzntfxllvldtmktxlkkqzaqnvn. buqltuk mtuxntg nq nit bqwbtfn qj x mqrqn vl nit jvtug qj lkwnitnvb rvquqak, yivbi lnzgvtl twnvnvtl yiqlt wxnzmt vl eqmt bqefxmxrut nq rtvwal nixw nq exbivwtl.   


################################################

{'a': 'g',
 'b': 'c',
 'c': '*',
 'd': 'v',
 'e': 'm',
 'f': 'p',
 'g': 'd',
 'h': '*',
 'i': 'h',
 'j': 'f',
 'k': 'y',
 'l': 's',
 'm': 'r',
 'n': 't',
 'o': '*',
 'p': 'q',
 'q': 'o',
 'r': 'b',
 's': 'x',
 't': 'e',
 'u': 'l',
 'v': 'i',
 'w': 'n',
 'x': 'a',
 'y': 'w',
 'z': 'u',
 ' ': ' ',
 ',': ',',
 '.': '.',
 ':': ':',
 '-': '-'}
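Applying the key above to the ciphertext, as an added example that is not part of the original post: the frequency count shows where the first guesses come from, and the final key from the table recovers the text and the flag.

```python
import re
import string
from collections import Counter

# The challenge ciphertext, copied from the post.
CIPHERTEXT = (
    "nit yqmg mqrqn bxw mtjtm nq rqni fiklvbxu mqrqnl xwg dvmnzxu lqjnyxmt xatwnl, rzn nit "
    "uxnntm xmt zlzxuuk mtjtmmtg nq xl rqnl. nitmt vl wq bqwltwlzl qw yivbi exbivwtl pzxuvjk "
    "xl mqrqnl rzn nitmt vl atwtmxu xamttetwn xeqwa tsftmnl, xwg nit fzruvb, nixn mqrqnl ntwg "
    "nq gq lqet qm xuu qj nit jquuqyvwa: xbbtfn tutbnmqwvb fmqamxeevwa, fmqbtll gxnx qm "
    "fiklvbxu ftmbtfnvqwl tutbnmqwvbxuuk, qftmxnt xznqwqeqzluk nq lqet gtamtt, eqdt xmqzwg, "
    "qftmxnt fiklvbxu fxmnl qj vnltuj qm fiklvbxu fmqbtlltl, ltwlt xwg exwvfzuxnt nitvm "
    "twdvmqwetwn, xwg tsivrvn vwntuuvatwn rtixdvqm - tlftbvxuuk rtixdvqm yivbi evevbl izexwl "
    "qm qnitm xwvexul. juxa vl lzrlnvnzntfxllvldtmktxlkkqzaqnvn. buqltuk mtuxntg nq nit "
    "bqwbtfn qj x mqrqn vl nit jvtug qj lkwnitnvb rvquqak, yivbi lnzgvtl twnvnvtl yiqlt "
    "wxnzmt vl eqmt bqefxmxrut nq rtvwal nixw nq exbivwtl."
)
# The key from the table above, written as the plaintext letter for each cipher
# letter a..z ('*' marks cipher letters that never occur in the text).
KEY = "gc*vmpd*hfysrt*qobxelinawu"
ENGLISH_BY_FREQUENCY = "etaoinshrdlcumwfgypbvkjxqz"

def letter_frequencies(text):
    """Cipher letters from most to least frequent, as (letter, count) pairs."""
    return Counter(c for c in text if c in string.ascii_lowercase).most_common()

def frequency_guess(text):
    """First-pass key: the i-th most frequent cipher letter is paired with the i-th
    most frequent English letter. Reliable for the top few letters only; the rest
    of the table above was fixed up by hand from the words that became readable."""
    return {c: p for (c, _), p in zip(letter_frequencies(text), ENGLISH_BY_FREQUENCY)}

def decrypt(text, plain_alphabet=KEY):
    """Apply a monoalphabetic substitution; punctuation and spaces pass through."""
    return text.translate(str.maketrans(string.ascii_lowercase, plain_alphabet))

def extract_flag(plaintext):
    """Pull the flag out of the sentence 'flag is ...' in the decrypted text."""
    m = re.search(r"flag is (\w+)", plaintext)
    return m.group(1) if m else None

if __name__ == "__main__":
    plain = decrypt(CIPHERTEXT)
    print(plain)
    print("flag:", extract_flag(plain))
```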

wifi.cap.d4e4d22bc8fe925bf0ccb9382056ce8e crack problem

wifi.cap.d4e4d22bc8fe925bf0ccb9382056ce8e is a challenge @ https://www.jarvisoj.com.

It is in the BASIC tab.

I got the cap file and ran it through aircrack-ng in WSL, then got the output below:

aircrack-ng -w p.txt wifi.cap.d4e4d22bc8fe925bf0ccb9382056ce8e
Reading packets, please wait...
Opening wifi.cap.d4e4d22bc8fe925bf0ccb9382056ce8e
Read 6539 packets.

   #  BSSID              ESSID                     Encryption

   1  56:0A:64:FF:E9:17  Flag_is_here              WPA (0 handshake)

Choosing first network as target.

Reading packets, please wait...
Opening wifi.cap.d4e4d22bc8fe925bf0ccb9382056ce8e
Read 6539 packets.

1 potential targets

Packets contained no EAPOL data; unable to process this AP.

But I tried it again on my VPS and got the key normally...

                                 Aircrack-ng 1.2 beta3


                   [00:00:00] 1 keys tested (700.40 k/s)


                           KEY FOUND! [ 11223344 ]


      Master Key     : 38 19 96 51 DB 57 C2 29 A4 5A 55 D9 20 25 6C 3B
                       D5 21 9B C7 8C 0B 42 EB 01 67 BB 4E 38 EC 44 42

      Transient Key  : 76 BD EF 88 51 07 CA B3 DC 30 7D 7E AA 49 AC 2E
                       9A 38 29 FD AF 1E 59 C7 A3 9F 9D C0 1C 91 53 AA
                       DA BE 57 43 0C 21 FA CA 66 DE F4 72 47 E0 B0 35
                       72 55 6E 13 16 66 D0 2E 74 4E 4C 05 DE 46 BC 9B

      EAPOL HMAC     : 91 B7 11 2F 71 48 42 6E 20 02 F7 CC 79 FA 6C 31

Then I found that the versions of aircrack-ng on the two machines were different: one is 1.2 beta, the other is 1.6.

I don't know whether it was the version or WSL that caused this problem.
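One check worth running before blaming the tool version: count the EAPOL frames in the capture yourself. This is an added example, not part of the original post; it handles classic pcap files with the 802.11 or radiotap linktype only, and the capture it builds is constructed sample data (the BSSID is the one from the aircrack output above, the client MAC is made up).

```python
import struct

PCAP_MAGIC, DLT_IEEE802_11, DLT_IEEE802_11_RADIO = 0xA1B2C3D4, 105, 127
LLC_SNAP_EAPOL = bytes.fromhex("aaaa03000000888e")  # LLC/SNAP header, EtherType 0x888E

def iter_80211_frames(data):
    """Yield raw 802.11 frames from a classic little-endian pcap (radiotap stripped)."""
    magic, _, _, _, _, _, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC or linktype not in (DLT_IEEE802_11, DLT_IEEE802_11_RADIO):
        raise ValueError("expected a little-endian pcap with an 802.11 linktype")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack_from("<I", data, off + 8)[0]
        pkt = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if linktype == DLT_IEEE802_11_RADIO:           # skip the radiotap header
            pkt = pkt[struct.unpack_from("<H", pkt, 2)[0]:]
        yield pkt

def data_frame_body(frame):
    """Body after the MAC header of a data frame; None for management/control frames."""
    if len(frame) < 24 or ((frame[0] >> 2) & 0x3) != 2:
        return None
    hdr = 24 + (6 if (frame[1] & 0x3) == 0x3 else 0)   # 4th address when ToDS and FromDS
    return frame[hdr + (2 if frame[0] & 0x80 else 0):]  # QoS data has a 2-byte QoS field

def count_eapol(data):
    """Return (frames, eapol_frames); zero EAPOL frames means no handshake to crack."""
    total = eapol = 0
    for frame in iter_80211_frames(data):
        total += 1
        body = data_frame_body(frame)
        eapol += int(body is not None and body.startswith(LLC_SNAP_EAPOL))
    return total, eapol

def build_sample_pcap(with_eapol=True):
    """Constructed radiotap capture (not the challenge file): one beacon using the BSSID
    from the post's aircrack output, plus optionally one EAPOL-Key data frame."""
    rt = bytes([0, 0, 8, 0, 0, 0, 0, 0])                    # minimal 8-byte radiotap header
    bssid, client = bytes.fromhex("560a64ffe917"), bytes.fromhex("112233445566")
    frames = [rt + bytes([0x80, 0, 0, 0]) + b"\xff" * 6 + bssid + bssid + b"\x00" * 14]
    if with_eapol:
        qos_hdr = bytes([0x88, 0x02, 0, 0]) + client + bssid + bssid + b"\x00" * 4
        eapol_key = bytes([2, 3]) + struct.pack(">H", 95) + bytes([2]) + b"\x00" * 94
        frames.append(rt + qos_hdr + LLC_SNAP_EAPOL + eapol_key)
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, DLT_IEEE802_11_RADIO)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out
```

Run count_eapol over the real capture; if the second number is zero, the file has no handshake and no aircrack-ng version will recover the key from it.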

Thursday, July 2, 2020

How to Cheat in Clicker Heroes 2 with CE

Clicker Heroes 2 is a fun game.
To have even more fun with it, I wanted to use Cheat Engine on it.

Some values, like rubies, energy and mana, can be found easily. Others cannot be found simply by scanning for the value displayed in the game.

After some analysis, I solved the mystery.
The values are saved in scientific notation (https://en.wikipedia.org/wiki/Scientific_notation).
A value is split across two doubles (8 bytes each) in memory.
The first is the coefficient (the part before the "e"), the second is the exponent (the part after the "e").

If the gold displayed on the screen is 44.3e10 or 443e9, scan for the double value 4.43 (NOT 44.3, NOT 443).
When you have found the address, add it to the address list.
Then right-click the list item you just added and choose "Browse this memory region".
In the "Memory Viewer", right-click the value displayed as hex and choose "Display type -> Double".
Now you can find your GOLD here. Double-click to change the value.

UPDATE:
About skill points.

Skill points are not saved in memory directly; what is stored is the difference between Level and Points:

SavedValue = Level - Points - 1

SavedValue is also stored in scientific notation.
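The two memory layouts described above, as an added example that is neither the post's code nor Cheat Engine's: it turns a displayed number into the coefficient to scan for and the 16-byte pair the game stores, and applies the skill point formula in both directions.

```python
import struct
from decimal import Decimal

def to_scan_value(displayed: str):
    """Normalise a number as the game shows it ('44.3e10', '443e9', '443000000000')
    into the (coefficient, exponent) pair kept in memory; the coefficient is the
    double to scan for (4.43 here, not 44.3 and not 443)."""
    d = Decimal(displayed)
    if d == 0:
        return 0.0, 0
    exponent = d.adjusted()               # power of ten of the leading digit
    coefficient = d.scaleb(-exponent)     # shift so one digit is left of the point
    return float(coefficient), exponent

def pack_value(displayed: str) -> bytes:
    """The two consecutive 8-byte doubles as stored: coefficient, then exponent."""
    coefficient, exponent = to_scan_value(displayed)
    return struct.pack("<dd", coefficient, float(exponent))

def unpack_value(raw: bytes) -> float:
    """Reverse of pack_value: read the 16 bytes back into the displayed number."""
    coefficient, exponent = struct.unpack("<dd", raw)
    return float(f"{coefficient!r}e{int(exponent)}")

def saved_skill_value(level: int, points: int) -> int:
    """What the game stores for skill points (the formula from the UPDATE above)."""
    return level - points - 1

def points_from_saved(level: int, saved: int) -> int:
    """Invert saved_skill_value to read the skill points back from memory."""
    return level - saved - 1

if __name__ == "__main__":
    print("scan for:", to_scan_value("44.3e10")[0])
    print("stored bytes:", pack_value("44.3e10").hex())
    print("skill value stored at level 10 with 3 points:", saved_skill_value(10, 3))
```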

Enjoy!

Monday, June 8, 2020

brut.common.BrutException when building an APK with apktool

When rebuilding an APK with apktool, I ran into this problem:
brut.androlib.AndrolibException: brut.common.BrutException: could not exec (exit code = 1):

Try this:

apktool b --use-aapt2 -o unsigned_apk.apk .\app-debug\

It worked for me this time,
but it may not work for every APK every time.